Showing results for 
Search instead for 
Did you mean: 

How to add Microsoft Azure as data source..

Hello Team,

We need your help in integration/adding of Microsoft azure with McAfee SIEM. Please guide me how to do so.

Please share the Prerequisites or steps..

Always thankful for community members..


6 Replies

Re: How to add Microsoft Azure as data source..

Dear Team,

We need your help.Kindly update.

Level 9
Report Inappropriate Content
Message 3 of 7

Re: How to add Microsoft Azure as data source..

There is currently not a Virtual Event Receiver compatible with Microsoft Azure cloud. The only way to get log collection in Azure is to forward the logs to a Event Receiver outside the Azure environment. The method we use is via Agent Collector installed on all hosts within Azure which forward their logs via encrypted channel to Event Receiver in our DMZ.

Re: How to add Microsoft Azure as data source..

Hi Btkarp,

Thank you for your update. Are you already worked on it,if yes so please share a summarized document which may help to move step by step.


Level 9
Report Inappropriate Content
Message 5 of 7

Re: How to add Microsoft Azure as data source..

Yes, I am currently collecting Windows logs from multiple servers being hosted in an Azure environment. However, the Event Receiver does not live on the same network. Make sure any traffic that is traversing the internet is encrypted (you can enable encryption at the beginning of the collector installation)

McAfee KnowledgeBase - How to install SIEM Collector for WMI event collection

1. Install the Agent Collector following the directions above.

2. You will then need to build and configure your Event Receiver OUTSIDE of the Azure network.

3. Point the collector agent to the Event Receiver IP.

4. Make sure routing and firewall rules are updated and allow the traffic.

Thats it. Should be good to go. Side note: We had issues with the Collector 11 in Azure. The Collector Agent service would fail almost instantly - check your logs for this problem. McAfee Support was able to provide a beta version of the Collector 11 that prevented the issue. I would not be surprised if you ran into the same issue with the Collector Agent currently available for download.

Best of Luck,


Level 7
Report Inappropriate Content
Message 6 of 7

Re: How to add Microsoft Azure as data source..

We are using a commercial solution to do that from They have build a cloud services connectors middleware, that collects the events from the cloud services using their APIs, and send to our customers on-premise ESM.

The events they send are in CEF format and sent over syslog.

We have deployed their middleware so far next to our customer's ESM, and it pulls the events from the cloud services and send internally which means we are ok from Firewall/DMZ perspective.

AFAIK they have an Azure connector as well. We have deployed for our customers their office 365, Salesforce and Box connector so far and it works as you would expect.

Re: How to add Microsoft Azure as data source..


you can try this read article - Integrate logs from Azure resources into your SIEM systems | Microsoft Docs

It's universal solution from Microsoft.

Best regards.

More McAfee Tools to Help You
  • Subscription Service Notification (SNS)
  • How-to: Endpoint Removal Tool
  • Support: Endpoint Security
  • eSupport: Policy Orchestrator
  • Community Help Hub

      New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

    • Find Forum FAQs
    • Learn How to Earn Badges
    • Ask for Help
    Go to Community Help

    Join the Community

      Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

    • Get helpful solutions from McAfee experts.
    • Stay connected to product conversations that matter to you.
    • Participate in product groups led by McAfee employees.
    Join the Community
    Join the Community